import pytest
from django.test.client import Client
from activities.models import Post
from users.models import Identity
@pytest.mark.django_db
def test_post_delete_security(client_with_identity: Client, other_identity: Identity):
    """
    Check that a post owned by another identity cannot be deleted by
    requesting its delete URL directly.

    A public, local post authored by ``other_identity`` is created, its
    delete action URL is requested through ``client_with_identity``, and the
    response must be 403 Forbidden.
    """
    # Presumably client_with_identity is logged in as an identity other than
    # other_identity; verify against the fixture definitions.
    foreign_post = Post.objects.create(
        content="<p>OTHER POST!</p>",
        author=other_identity,
        local=True,
        visibility=Post.Visibilities.public,
    )
    delete_url = foreign_post.urls.action_delete

    # NOTE(review): only GET is exercised here. If the delete view performs
    # the deletion on another method (e.g. POST), that path is not covered by
    # this test, and the post's state after the request is not asserted.
    # Confirm against the view before relying on this as the authorization
    # regression test.
    resp = client_with_identity.get(delete_url)
    assert resp.status_code == 403